Bug 1565778 - [DOCS] egress documentation is focused around multi-tenant [NEEDINFO]
Summary: [DOCS] egress documentation is focused around multi-tenant
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: brice
QA Contact: Meng Bo
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-10 18:56 UTC by Ruchika K
Modified: 2018-07-19 04:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-19 04:14:13 UTC
Target Upstream Version:
bfallonf: needinfo? (rkharwar)



Description Ruchika K 2018-04-10 18:56:49 UTC
Document URL: 
https://docs.openshift.com/container-platform/3.9/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress

Section Number and Name: 
The documentation focuses on the multitenant plugin. With the network policy plugin now fully supported and being the popular choice as per the community, it is not clear whether egress policies ONLY work with the multitenant plugin or whether they will also work with the network policy plugin.

Describe the issue: 
Customers are confused about what the caveats are and how to pick out what is relevant if they use the network policy plugin.

Suggestions for improvement: 
If lines could be added on how things would differ if the network policy plugin is used, it would make things much clearer.

Additional information:

Comment 2 Ben Bennett 2018-06-20 10:55:10 UTC
Ravi: Does the egress firewall work with all three of our SDN plugins?  Thanks.

Comment 3 Ravi Sankar 2018-06-21 16:02:59 UTC
Yes, egress network policy is compatible with all three SDN plugins. Keep in mind that the networkpolicy plugin provides granular isolation (namespace or pod selector). Currently egress network policy can only be applied at the namespace level, with some caveats: only one egress np per namespace is allowed, namespaces that share a network with other namespaces are not allowed, and global namespaces are not allowed.

Comment 4 Ravi Sankar 2018-06-21 16:34:38 UTC
Correction to my previous comment: I gave a contradicting statement, that egress np is compatible with all 3 SDN plugins but global namespaces are not allowed. The subnet network plugin only has global namespaces.

So the correct answer: egress network policy is compatible with 2 SDN plugins: multitenant and networkpolicy plugins.
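
The caveats from comments 3 and 4, written as a pre-flight check (an added example, not part of the bug thread or the OpenShift docs). It assumes namespace-to-NETID data as listed by NetNamespace objects, that NETID 0 marks a global namespace, and the plugin names used in the SDN configuration; the function name and sample data are constructed.

```python
from collections import Counter

# Plugin names as used in the SDN configuration (assumed; not quoted in this bug).
SUPPORTED_PLUGINS = {
    "redhat/openshift-ovs-multitenant",
    "redhat/openshift-ovs-networkpolicy",
}
GLOBAL_NETID = 0  # assumption: global namespaces carry NETID 0

# Constructed sample data: namespace -> NETID, and (namespace, policy name) pairs.
SAMPLE_NETIDS = {"default": 0, "shop": 1001, "billing": 1001, "web": 1002, "batch": 1003}
SAMPLE_POLICIES = [("default", "deny-all"), ("shop", "allow-api"),
                   ("web", "a"), ("web", "b"), ("batch", "ok")]


def check_egress_policies(plugin, netids, policies):
    """Return a sorted list of (namespace, reason) for every caveat that is violated."""
    per_ns = Counter(ns for ns, _ in policies)  # egress policies per namespace
    if plugin not in SUPPORTED_PLUGINS:
        # e.g. the subnet plugin, where every namespace is global
        return sorted((ns, "unsupported plugin") for ns in per_ns)
    sharing = Counter(netids.values())  # how many namespaces use each NETID
    problems = []
    for ns, count in per_ns.items():
        netid = netids.get(ns)
        if count > 1:
            problems.append((ns, "more than one egress policy"))
        if netid == GLOBAL_NETID:
            problems.append((ns, "global namespace"))
        elif netid is not None and sharing[netid] > 1:
            problems.append((ns, "shares network with another namespace"))
    return sorted(problems)


if __name__ == "__main__":
    for plugin in ("redhat/openshift-ovs-multitenant", "redhat/openshift-ovs-subnet"):
        print(plugin)
        for ns, reason in check_egress_policies(plugin, SAMPLE_NETIDS, SAMPLE_POLICIES):
            print(f"  {ns}: {reason}")
```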

Comment 5 brice 2018-06-26 04:31:19 UTC
Thanks, Ben, Rajat

I've created a PR for this:

https://github.com/openshift/openshift-docs/pull/10421

Most of the caveats Rajat mentions are already there in an admonition, so I extended that with the rest of the info.

Ruchika, can I verify that the information you're requesting is in the PR? I don't think we should write the docs as though network policy is the one the reader will be using, because it is not yet the default. Once that happens, then I'd agree the docs would need a rewrite.

Comment 6 brice 2018-06-28 01:52:14 UTC
Hmm, looks like Ruchika's account has been shut down. I think the information needed is there, so I'll move forward with this BZ, but if anyone watching has thoughts on the PR, please let me know.

Comment 7 openshift-github-bot 2018-06-29 00:59:51 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/dd15654b7c12b619bf0d16bd105e2f3fddeb9066
Merge pull request #10421 from bfallonf/egressnetwork_1565778

Bug 1565778 Added caveats about egress policy and networkpolicy plugin

